path: root/src/lib/kadm5/srv
Age | Commit message | Author | Files | Lines
2010-08-31 | For the password quality interface: | Greg Hudson | 5 files | -11/+17
    * Add a languages argument to the check method to allow localization of error messages (currently no languages are ever passed, though).
    * Add an error code KADM5_PASS_Q_GENERIC.
    * In most built-in modules and the combo module, set an error message with krb5_set_error_message.
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24279 dc483132-0cff-0310-8789-dd5450dbe970
2010-08-28 | Revise the password quality pluggable interface to match the project | Greg Hudson | 7 files | -116/+366
    page:
    * Modules receive the policy name but not the policy object.
    * Enforcement of password policy is out of the interface's scope.
    * Built-in modules are: empty, dict, hesiod, princ.
    * The consumer API loader takes care of open/close, so there is only a wrapper function for check.
    The project page is at: http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24266 dc483132-0cff-0310-8789-dd5450dbe970
2010-08-26 | Create specific error codes for plugin-related failures, now that we | Greg Hudson | 2 files | -2/+2
    have an expansion error table to hold them in.
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24260 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-26 | In the plugins2 branch, untabify new files which accidentally used | Greg Hudson | 3 files | -32/+32
    tabs in indentation.
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24214 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-26 | In the plugins2 branch, rename "init" to "initvt" in all references to | Greg Hudson | 4 files | -7/+7
    module vtable initializer functions.
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24213 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-23 | On the plugins2 branch, add a comment to pwqual_dict.c labeling that | Greg Hudson | 1 file | -0/+2
    file as a password quality module.
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24205 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-22 | Proof of concept code for a candidate plugin framework | Greg Hudson | 9 files | -356/+505
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24203 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-08 | Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules | Greg Hudson | 1 file | -1/+2
    should return in-realm aliases. Set it where appropriate, and use it in the LDAP module instead of intuiting the result based on other flags.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24178 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-06 | Remove count parameters from get_principal, put_principal, | Greg Hudson | 4 files | -292/+244
    free_principal, delete_principal, and get_policy. Make get_principal allocate the DB entry container. Fold krb5_db_get_principal_ext into krb5_db_get_principal.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-02 | Remove verify_master_key from the DAL table, as well as its associated | Greg Hudson | 1 file | -12/+0
    libkdb5 interface. Callers can (and mostly already do) use krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create, tests/verify, and kdb5_util dump to do so.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-02 | Rename krb5_dbekd_encrypt_key_data and krb5_dbekd_decrypt_key_data to | Greg Hudson | 2 files | -33/+22
    just use the krb5_dbe prefix.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24164 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-02 | Remove the set_master_key and get_master_key DAL interfaces and their | Greg Hudson | 1 file | -1/+0
    corresponding libkdb5 APIs, as they were not productively used. In kdb5_ldap_util, stop using the realm data's mkey field as a container to communicate the master key to static helper functions, since the field no longer exists.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24162 dc483132-0cff-0310-8789-dd5450dbe970
2010-06-07 | make depend | Greg Hudson | 1 file | -20/+21
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970
2010-05-04 | Remove some unused fields from kadm5_config_params. Bump the client | Greg Hudson | 1 file | -1/+1
    and server sonames.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23969 dc483132-0cff-0310-8789-dd5450dbe970
2010-03-11 | Lazy history key creation | Greg Hudson | 1 file | -38/+37
    Create kadmin/history lazily when we need it (i.e. when a password is changed on a principal with a policy) instead of whenever we open the database. Allows kadmin.local to be used as a read-only tool on non-kadmin-conformant database back ends such as the Samba bridge.
    ticket: 6679
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970
2010-02-24 | Two problems in kadm5_get_principal mask handling | Greg Hudson | 1 file | -6/+8
    KADM5_MOD_NAME was being applied to entry->principal instead of entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno. Patch from Marcus Watts <mdw@umich.edu>.
    ticket: 6668
    target_version: 1.8
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23749 dc483132-0cff-0310-8789-dd5450dbe970
2010-02-11 | Minimal support for updating history key | Greg Hudson | 3 files | -129/+99
    Add minimal support for re-randomizing the history key:
    * cpw -randkey kadmin/history now works, but creates only one key.
    * cpw -randkey -keepold kadmin/history still fails.
    * libkadm5 no longer caches the history key. Performance impact is minimal since password changes are not common.
    * randkey no longer checks the newly randomized key against old keys, and the disabled code to do so in setkey/setv4key is gone, so now only kadm5_chpass_principal_3 accesses the password history.
    ticket: 6660
    target_version: 1.8
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970
2010-01-28 | Handle migration from pre-1.7 databases with master key kvno != 1 | Greg Hudson | 1 file | -1/+2
    krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no explicit tl_data. We've seen at least one pre-1.7 KDB with a master kvno of 0, violating this assumption. Fix this as follows:
    * krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists.
    * A new function krb5_dbe_get_mkvno translates this 0 value to the minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno cannot do this as it doesn't take the mkey_list as a parameter.)
    * Call sites to krb5_dbe_lookup_mkvno are converted to krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable to store 0 if the mkvno is unknown.
    ticket: 6650
    target_version: 1.7.1
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23676 dc483132-0cff-0310-8789-dd5450dbe970
2010-01-19 | Change basename of libkadm5 libraries to avoid Heimdal conflict | Greg Hudson | 2 files | -1/+6
    ticket: 6644
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23662 dc483132-0cff-0310-8789-dd5450dbe970
2010-01-14 | Make history key exempt from permitted_enctypes | Greg Hudson | 1 file | -7/+7
    In kdb_init_hist, just use the first key entry in the kadmin/history entry. This makes the history key work even if the enctype is disallowed by allow_weak_crypto=false or other configuration.
    ticket: 6640
    tags: pullup
    target_version: 1.8
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23657 dc483132-0cff-0310-8789-dd5450dbe970
2010-01-08 | Restore interoperability with 1.6 addprinc -randkey | Greg Hudson | 1 file | -0/+28
    The arcfour string-to-key operation in krb5 1.7 (or later) disagrees with the dummy password used by the addprinc -randkey operation in krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the 1.6 dummy password and use a random password instead.
    ticket: 6626
    tags: pullup
    target_version: 1.8
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23610 dc483132-0cff-0310-8789-dd5450dbe970
2010-01-07 | When retrieving the kadmin/history key, accept any enctype, as the | Greg Hudson | 1 file | -2/+2
    current master key enctype may not match the one the KDB was created with.
    ticket: 6546
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23607 dc483132-0cff-0310-8789-dd5450dbe970
2009-12-28 | Anonymous support for Kerberos | Sam Hartman | 2 files | -0/+14
    This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication.
    * Introduce kinit -n
    * Introduce kadmin -n
    * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
    * No longer generate ad-initial-verified-cas in pkinit
    * Fix pkinit interactions with non-TGT authentication
    Merge remote branch 'anonymous' into trunk
    Conflicts:
        src/lib/krb5/krb/gic_opt.c
    ticket: 6607
    Tags: enhancement
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-22 | Consolidate Makefile variables now that we have only a single global | Greg Hudson | 2 files | -101/+101
    configure script:
    $(SRCTOP) --> $(top_srcdir)
    $(srcdir)/$(thisconfigdir) --> $(top_srcdir)
    $(thisconfigdir) --> $(BUILDTOP)
    $(myfulldir) --> $(mydir)
    ticket: 6583
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23308 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-18 | minor reindent | Zhanna Tsitkov | 1 file | -24/+16
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23286 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-04 | Reindent and manually restore some BSD-style files that were | Tom Yu | 1 file | -34/+34
    previously incorrectly marked as krb5-style.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23126 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-03 | Reindent after making fixes for emacs-23 | Tom Yu | 1 file | -2/+2
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23123 dc483132-0cff-0310-8789-dd5450dbe970
2009-10-31 | make mark-cstyle | Tom Yu | 12 files | -2633/+2641
    make reindent
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
2009-10-27 | Heimdal DB bridge plugin for KDC back end | Greg Hudson | 1 file | -1/+3
    Merge Luke's users/lhoward/heimmig branch to trunk. Implements a KDC back-end plugin which interfaces to a Heimdal HDB plugin.
    ticket: 6578
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23073 dc483132-0cff-0310-8789-dd5450dbe970
2009-10-25 | Account lockout | Greg Hudson | 4 files | -6/+69
    Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure.
    ticket: 6577
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
2009-10-10 | Move destest to builtin/des, because it depends on overriding some | Tom Yu | 1 file | -14/+18
    internals. Make depend.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22877 dc483132-0cff-0310-8789-dd5450dbe970
2009-09-21 | Improve the mechanism used for addprinc -randkey. In the kadmin | Greg Hudson | 1 file | -12/+23
    server, if the password is null when creating a principal, treat that as a request for a random key. In the kadmin client, try using the new method for random key creation and then fall back to the old one.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22782 dc483132-0cff-0310-8789-dd5450dbe970
2009-09-16 | Re-run make depend without autoconf.h in the source tree | Greg Hudson | 1 file | -58/+56
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22775 dc483132-0cff-0310-8789-dd5450dbe970
2009-09-16 | Crypto modularity proj.: Move prf and random-to-key ops from backend to krb | Zhanna Tsitkov | 1 file | -56/+58
    bigredbutton: whitespace
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22769 dc483132-0cff-0310-8789-dd5450dbe970
2009-08-17 | Bump sonames of libkadm5 libraries, since r22527 changed their ABIs | Greg Hudson | 1 file | -1/+1
    ticket: 6547
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22528 dc483132-0cff-0310-8789-dd5450dbe970
2009-08-17 | Modify kadm5 initializers to accept krb5 contexts | Greg Hudson | 1 file | -27/+11
    Add krb5_context parameters to all kadm5 initialization functions. This allows extended error information to be retrieved by the caller when an error is returned.
    ticket: 6547
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22527 dc483132-0cff-0310-8789-dd5450dbe970
2009-08-17 | Remove unused variables resulting from r22521, and also remove the | Greg Hudson | 2 files | -36/+0
    unused file svr_misc_free.c.
    ticket: 6544
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22523 dc483132-0cff-0310-8789-dd5450dbe970
2009-08-13 | Remove kadmin v1 API support | Greg Hudson | 5 files | -229/+62
    The kadmin v1 API and the even older ovsec_kadm_* API were legacy when kadmin was first incorporated in 1996, and compatibility with them is no longer believed to be necessary. The uninstalled kadmin/passwd has been removed (since it used the ovsec API). The test suite has been updated to use the v2 API where appropriate, and the parts specifically designed to test the old API have been excised.
    ticket: 6544
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22521 dc483132-0cff-0310-8789-dd5450dbe970
2009-08-10 | Convert all uses of strtok() in libraries to strtok_r() for thread | Greg Hudson | 1 file | -3/+4
    safety.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22513 dc483132-0cff-0310-8789-dd5450dbe970
2009-08-03 | Get "make depend" to work in an unbuilt source tree, since bad deps | Greg Hudson | 1 file | -0/+2
    files can make it difficult to build the tree. To do this, make the depends target depend on generated header files and on header file copies or links into the main include directory.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22486 dc483132-0cff-0310-8789-dd5450dbe970
2009-06-06 | kadmind in parsing acls could deref NULL pointer on error | Ezra Peisach | 1 file | -13/+17
    In kadm5int_acl_parse_line, if you set up an acl w/ restrictions (i.e. the four argument acl format) but have an error parsing the first few fields, acle is NULLed out, and is then derefed. This adds a conditional and indents according to the krb5 c-style...
    ticket: 6509
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22403 dc483132-0cff-0310-8789-dd5450dbe970
2009-06-06 | kadm5int_acl_parse_restrictions could ref uninitialized variable | Ezra Peisach | 1 file | -1/+1
    The variable sp is never initialized. If the first argument to the function is null, the code falls through to freeing sp if valid. However, sp is never set.
    ticket: 6508
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22402 dc483132-0cff-0310-8789-dd5450dbe970
2009-05-07 | Allow more than 10 past keys to be stored by a policy | Greg Hudson | 1 file | -5/+2
    Remove the arbitrary limit of 10 past keys in policies. We were not taking advantage of that limit in any other code.
    ticket: 6482
    target_version: 1.7
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22323 dc483132-0cff-0310-8789-dd5450dbe970
2009-02-03 | prefer structure assignment to memcpy | Ken Raeburn | 1 file | -1/+1
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21876 dc483132-0cff-0310-8789-dd5450dbe970
2009-02-02 | Remove unnecessary pointer casts in args to free,memcpy,memset,memchr except unicode, windows code | Ken Raeburn | 3 files | -6/+6
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21875 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-30 | Master Key Migration Project | Will Fiveash | 4 files | -26/+172
    Commit for the Master Key Migration Project. http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration
    This commit provides the ability to add a new master key (with an enctype differing from the current master key) to the master key principal and stash file and then migrate the encryption of existing principals' long-term keys to use the new master key. In addition, deletion of master keys is provided.
    ticket: 6354
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-30 | Changed the name match_config_pattern to krb5_match_config_pattern. Check strdup return code. | Zhanna Tsitkov | 1 file | -1/+1
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21838 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-29 | Introduced match_config_pattern function to find a pattern in the config value strings | Zhanna Tsitkov | 1 file | -0/+1
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21828 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-23 | Eliminate the need for the domain_realm mapping table on the client side by implementing minimal referral support in the KDC | Zhanna Tsitkov | 1 file | -0/+1
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21792 dc483132-0cff-0310-8789-dd5450dbe970
2009-01-23 | Add some output parameter initializations in order to eliminate some | Greg Hudson | 1 file | -1/+2
    spurious Coverity defects. (Far from a comprehensive pass.)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21782 dc483132-0cff-0310-8789-dd5450dbe970